Over the past few years, the RSA Security Conference has become a marquis technology industry event. It has really outgrown its humble roots in cryptography and Layer 3 and 4 packet filtering – now RSA is where technology industry bigwigs meet, drink exquisite Napa Valley wine, get a broad perspective of the cybersecurity industry, and do deals.
RSA’s emergence as a “must-attend” technology industry event is a good thing on balance. For one week of the year, business, government, and technology leaders descend on San Francisco and shed a spotlight on the global state of cybersecurity. But while this attention is a good thing, RSA has evolved into a high-level affair, focusing on the “why” questions surrounding cybersecurity.
Enter Black Hat, which takes place next week in Las Vegas. Rather than concentrate further on “why” questions, Black Hat is where you go to explore “how.”
To be clear, both areas are important. Senior business and technology executives need to understand the state of the threat landscape, hear details about massive data breaches, and internalize why they need to assess their organizations’ cybersecurity readiness. At this point however, decision making takes a 180 degree turn. Once CEOs recognize the need to address new cybersecurity risks, the obvious next question is, “how should my organization proceed?”
When cybersecurity conversations shift from “why” to “how” at RSA, the focus immediately turns to technology. Yup, I get it – vendors, service providers, and VCs want to capitalize on the sorry state of cybersecurity and make some dough. That said, Black Hat provides an opportunity to ask the other “how” questions around people and process. In my humble opinion, these areas equate to around 80% of the overall cybersecurity challenge.
I’m headed to Vegas (again) this Monday and my goal there is to seek out answers (or at least theories) related to “how” questions about people and process. Specifically, I want to learn as much as I can about:
- The bad guys. The cybersecurity industry tends to get hung up on malicious technical minutia – malware, IoCs, attack vectors, exploits, etc. Important stuff but this myopic focus tends to minimize the fact that there are actually criminals, spies, and vandals at the other end of TCP/IP pipes. Threat intelligence like the recently-published Cisco 2015 Midyear Security Report indicate that these bad guys are extremely agile and crafty, remaining a step or two ahead of the good guys. Who are these people? Where are they located? How are they organized? How do they communicate with each other? What types of tactics, techniques, and procedures (TTPs) are they using? Rather than focusing purely on weapons, Black Hat provides a unique opportunity to gain a better understanding about the human elements involved.
- The good guys. The cool thing about Black Hat is that you get to meet the brainy security folks behind the incident prevention/detection technology curtain – security researchers, malware hunters, SOC/CERT professionals, etc. This crowd can not only address many of the “how” questions about bad guys that I posed above, but also talk about what is and isn’t working on the defensive side. For example, I want to hear about lessons learned and best practices around processes and workflows related to incident response. What are the right steps to take and in what order? How do the best cybersecurity defenders in the world identify an attack in progress based upon a breadcrumb trail of evidence of logs, network flows, DNS activities, endpoint/network forensics, and threat intelligence? Who participates in this process? How do they develop their skills? What types of “gotchas” have they discovered? This is a critical aspect of cybersecurity that seems to fly under the radar for some reason which is a crying shame.
- Everyone else. If you dig deep enough at Black Hat, you can get an idea about all the constituents who sit on the periphery of the cybersecurity industry. For example, with all the money going into cyber insurance these days, Black Hat should be a good venue to judge how underwriters are assessing risk management and cybersecurity readiness of their customers today and how this process will progress in the future. Black Hat is also a good place to judge the cybersecurity paranoia and knowledge level within the federal government. Does the paranoia level remains high post Snowden? Is the knowledge level an inconsistent mix of in-the-weeds cybersecurity brainiacs, policy wonks, and clueless politically-motivated legislators? I’m also really interested to see if the government-centric conversation at Black Hat centers on public/private threat intelligence sharing nirvana. Given the technology, process, and legal immaturity in this area, chalk one up for clueless if this is the case.
A long time ago when I worked at EMC Corporation, a senior sales manager used to always proclaim that, “people who know how always work for people who know why.” In other words, business leaders make strategic decisions while worker bees hammer nails in the trenches as part of strategy execution. This may be true as a general rule but highly-experienced cybersecurity worker bees are in short supply so we ought to learn as much as we can from this group as possible.
That’s really why I’m a big fan of Black Hat as it shines a spotlight on the best of the good guys and the worst of the bad guys – an extremely valuable body of knowledge. As Sun Tzu stated, “If you know your enemy and know yourself, you need not fear the results on a hundred battles.”